Tag Archives: Privacy

Making Privacy Obvious to Everyone

Privacy and User agreements: We agree to them without a single thought and certainly never ever read them. Let’s start with a quick background. Since the early days of the software industry — like the days when software came in boxes — users were presented with a legal agreement to use software. It is not uncommon for the legal documents to ramble on and on for pages. All you really need to know is there’s a good chance that “you’re on your own” if you use the software.

Fast forward to the internet age. Since virtually every app or service we use today is free, software companies came up with a Privacy Agreement that basically gives them permission to use your data in unprivate ways. Monetizing user data is THE business model of the internet age so as the saying goes, “if the product is free, then you are the product.” Use Facebook, and all that data about you is used by Facebook to sell ads. Same for Google, Twitter, YouTube, and on and on. By the way this extends to “apps” like Amazon where your Shopping Cart contents are widely shared with ad networks.

If people actually realized what was going on with their privacy, they might change their behavior. There are three primary questions users should want answered by these types of agreements:

  1. Can the service provider ever read my data or is it encrypted?
  2. Where is my data stored? On my device, in the cloud, or both?
  3. Does the service provider monetize my data?

Why not come up with a simplified labeling requirement for internet service agreements? This idea could be used for ISPs, your mobile carrier, the apps you use online, and then all the way down to the search engine you use.

Each of the three questions has two or three states, so it’s a pretty simple iconography problem. Above is a terrible sketch of what I’m thinking. I bet with no other info, you can figure out which one is Facebook and which one is my Alarm Clock. Put it at the top of the agreement and allow new users to read the entire agreement if they want, but at least they would get the top-level questions answered before they start using the product.

Would this idea make privacy more obvious to the masses? For the longest time if you wanted nutritional information at places like McDonald’s you had to request what was a very large foldout poster of mountains of information. I’m sure it cost McDonald’s a fortune to print and keep these things in stock in thousands of locations. Today, their menu above the counter already includes the key metric you’re most likely wanting to know: calories. And yes, that info has changed my behavior. I don’t get to McDonald’s often, but it’s a real drag that my favorites are obviously the worst for me as well.

Legislation might be required to get providers to make this change. I’m okay with that. Users have a right to know, and I also believe vendors have the responsibility to transparently disclose how they use my data. It was my data in the first place.

Privacy: Social Cause or Business Imperative?

Does your company have NDAs or Confidentiality Agreements? If you do, then your company understands privacy is a business imperative.

For most of us, privacy is a social cause; a way of life that protects a basic civic liberty. But online privacy isn’t just a social cause. It’s also a business imperative. And encryption is one of the easiest ways to protect our livelihood. But first back to business imperatives…

Does your company lock the front door at night? Does it have locks on personnel files? Does your company have non-disclosure agreements? Does it have confidentiality agreements for vendors and employees? Does it secure the WiFi network with a password? Do you need a password to login to email?

If you answered “Yes” to any (and I bet you answered “Yes” to all) of these questions, your workplace understands the business imperative of privacy. You don’t have to be a Silicon Valley startup or Apple to be paranoid about the future of your business. These privacy policies are designed to protect the company, its assets, your stockholders, and frankly your own job and livelihood.

Let’s be honest, most businesses shouldn’t be that worried about hackers, foreign operatives, and compromised credit card records. It’s the other very real things that will more likely kill your business and/or ruin your career, things like theft, corporate espionage, ransomware, litigation from former employees, and workplace morale. Also don’t forget information leakage from BYOD, mobile, and the informality of most electronic conversations. The volumes and volumes and volumes of plain text information shared, discoverable, and hosted in the cloud will be the next gold rush for litigators. Just ask Sony or Gawker.

Yes, corporate privacy is more than IT security. It is everything the company does after it secures the network with taller walls and wider moats. Encryption of business information is the simplest and best method of protection. And many argue if your data is encrypted and unreadable by any actor, either inside or outside your network, you can always sleep at night knowing you are safe again.

Privacy is a 7×24 business imperative. We need to move away from “Do you care about privacy?” and move toward “What are you going to do today to better protect your business?”

Slack’s Top 5 Privacy Mistakes Competitors Can’t Make

Everyone makes mistakes. I do too. But when it comes to privacy, users should keep their guard up and most businesses who collaborate online will appreciate it.


Slack is a great product and people love it. I get it. I think it’s great fun too, but it’s just not suited for business collaboration.

There are some popular features in Slack that competitors should avoid if they care about user privacy.

1. The Browser “Playground”

Your browser is a vulnerable place. Think of it as a public playground where every website you’ve ever visited has left its germs and viruses. There are countless security vulnerabilities with deploying an application through the browser; everything from the browser itself, to your security settings, plugins, extensions, the code from every website you visit, and the cookies that track you. With one click, malware can easily get installed on your computer so while there are things you can do to try to protect your activity online, sometimes that’s just not enough.

2. Integrations

Integrations are small applications that extend the functionality of a platform. Slack impressively boasts both a marketplace and investment fund to get more Integrations built for Slack. Most every Integration people use is hosted by Slack meaning every bit and byte that comes through an Integration can be read by Slack. (But I guess if you’re already using Slack heavily, you’re already okay with their ability to read every bit and byte).

3. Inline Pixie Dust

Most collaboration tools will overload posts that include URLs with metadata like images, titles, source content, and icons. This is also true of fun features like Giphy. While it might make the timeline more visually interesting, because you deserve, competitors should not offer this feature.

Here’s the issue: By implementing inline pixie dust, all of this content would get automatically downloaded to your device and you couldn’t control it. Clickable URLs are fine since the user is in control, meaning you choose when you want to visit a site.
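One way a client could follow this rule, as an added example that is not from the original post or from any product it names: message text is escaped, http(s) URLs become plain links, and no markup is emitted that would fetch anything before the user clicks. The names `renderMessage` and `onlyInertMarkup` are hypothetical.

```javascript
// Added example; all names are hypothetical. Renders chat text so URLs are
// clickable but nothing is fetched until the user clicks.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only http(s) URLs are candidates for links; all other text stays inert.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

function renderMessage(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    // Trailing punctuation is usually sentence text, not part of the URL.
    const raw = m[0].replace(/[.,;:!?)]+$/, '');
    out += escapeHtml(text.slice(last, m.index));
    let url;
    try { url = new URL(raw); } catch { url = null; }
    if (url && (url.protocol === 'http:' || url.protocol === 'https:')) {
      // The link text is the URL itself, so the user sees where a click goes.
      // no-referrer keeps the destination from learning where the click came from.
      out += `<a href="${escapeHtml(url.href)}" rel="noopener noreferrer" ` +
             `referrerpolicy="no-referrer" target="_blank">${escapeHtml(raw)}</a>`;
    } else {
      out += escapeHtml(raw);
    }
    last = m.index + raw.length;
  }
  return out + escapeHtml(text.slice(last));
}

// True when the HTML contains no element other than <a>, i.e. nothing the
// client would download on its own (img, iframe, video, link, script, ...).
function onlyInertMarkup(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.every((t) => t === 'a');
}

// Constructed sample message: pasted image markup plus a URL.
const sample = 'hi <img src=x onerror=alert(1)> https://example.com/a?b=1&c=2.';
console.log(renderMessage(sample));
console.log(onlyInertMarkup(renderMessage(sample)));
```
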

4. Email Digests

For those not familiar, lots of products use email digests as a way to summarize a day’s worth of conversations into one quick scannable list sent to your inbox at the end of each day.

The problem? When a team has a conversation, it would be a critical privacy compromise that one/some/all of that team now have those same messages sent over the internet in an email. Email is one of the most vulnerable methods of communication, with a 789% year-over-year spike in malware and phishing. People set weak passwords, which are easily hacked and constantly stolen (remember the 1.6 billion passwords stolen two years ago?). All you need to do is look at the news for the latest email scandal (this week, the DNC was hacked and the Russians stole and exposed their opposition research on Trump).

There is certainly value in having a quick way to “get back up to speed” and we plan to build a “While you were away” feature in Semaphor that gives users the same benefit without compromising the privacy of your conversations.

5. Presence

Is so-and-so online? Presence allows users to passively know if another user is on/offline. Unlike the above features, we are giving serious thought to adding this feature to Semaphor — it is quite handy. That said, it will most certainly be implemented in a privacy-minded way. Does everyone on your team want everyone else on the team to know they are online? Should this summer’s intern know the CEO of your multinational company is “In a Meeting?” This level of transparency has benefits, but it needs to be controlled by users. Defaults should be set to Hidden, and only the user should be able to opt-in to such a feature.

“Yeah, we ditched Google.”

Why SpiderOak made a conscious decision to break up with Analytics

Most reports indicate Google has over 70% share of the analytics marketplace. Does that jeopardize our privacy?

After we gave it some more thought, we realized we were hypocrites. Since inception, SpiderOak has been an advocate for online privacy. Unlike many others in our market, we strive to be very clear about how our product design truly delivers Zero Knowledge privacy for our users. We tell potential supporters that what matters most is who has the keys and how they are stored. But you can read more about how we solved those problems in our many other posts on our site.

For the past five years, we had been using Google Analytics for monitoring our web traffic. Innocent enough decision, right? Then we asked ourselves, “are we contributing to the mass surveillance of the web by using a feature-rich, yet free service that tracks web visitors?” Sadly, we didn’t like the answer to that question. “Yes, by using Google Analytics, we are furthering the erosion of privacy on the web.”

Most people might say, “well it’s only a cookie,” or “I don’t have anything to hide.” Yes, our site is only one short stop you might make today while browsing the web, but why, I would ask, do Google and their advertisers need to know about it? Most of us visit scores of websites each day. The fabric behind the scenes that stitches a stunningly detailed history of your online day is Google Analytics. Even if you don’t have a Google account, or don’t stay logged into Gmail, your browsing history every single day is tracked across sites that include the JavaScript library.

So a few months ago we decided we were wrong and Google Analytics had to go.

Like lots of other companies with high traffic websites, we are a technology company; one with a team of deep software development expertise. It took us only a few weeks to write our home-brew analytics package. Nothing super fancy, yet now we have an internal dashboard that shows the entire company much of what we used analytics for anyway – and with some nice integration with some of our other systems too.

Some of us still have Gmail accounts and others keep using Chrome. Google makes good products. But where SpiderOak decided to draw the line was with the privacy of our current and soon to be customers. You deserve a choice when it comes to privacy online and we realized we could do better by not contributing to your browsing history with Google. And now that we’ve fixed that, we can sleep at night.
Be safe out there.